base: add support for "raw ip" captures

[os12]

• there is no need to deal with L2 as it's not even there

[adulau]

There are pcap captures as raw ip where it's directly the IP raw packets (such as ulogd). I bet this patch will break such capture.

[ns-osmolsky]

There are pcap captures as raw ip where it's directly the IP raw packets (such as ulogd). I bet this patch will break such capture.

Umm... that's what I am dealing with. There "raw IP" means "no L2 header to skip".

[adulau]

Interesting, do you have a sample capture? I would like to do some tests.

[ns-osmolsky]

Here is an example:
gdrive-eof-54226.zip

[ns-osmolsky]

$ file ../samples/gdrive-eof-54226.pcap
../samples/gdrive-eof-54226.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Raw IP, capture length 2000)

[wllm-rbnt]

It works with ulogd (NFLOG target) for IPv4 only because of type = ETHERTYPE_IP.
We need type = ETHERTYPE_IPV6 for IPv6.

We could try to differentiate IP version based on the first nibble of the packets in the trace.

"RAW" PCAP if type is valid for IPv4 & IPv6:

$ file ulogd*pcap
ulogd_v4.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Raw IP, capture length 65536)
ulogd_v6.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Raw IP, capture length 65536)